Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Because it thought it was supposed to... that it was time to shut down... it was "finished". Probably because the application that owned the session said, "OK, I'm done, goodbye".
There is nothing more that can be said with the information that has been given.
Is there a way to find out why it is disconnecting? When it passes outside the ISA Server it works, but when it passes through the ISA Server I got this error.
It's a desktop application called Entrust that calls a web browser. When the web browser shows up, it makes the connection to the Government of Canada import export permit website.
For that I need to open some ports to make it work.
Like I said before, without the ISA Server it works; with the ISA Server it doesn't work.
I'm wondering if there is a way to know what differs between these two modes that makes the connection close.
Firewall/Proxy ports – open to new Entrust Certificate Authority URLs:
Authority=ca-ac.gss-spg.gc.ca+829
Manager=ca-ac.gss-spg.gc.ca+709
Server=ldap.gss-spg.gc.ca+389
Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
It probably won't work over a rule that requires authentication, so make it an "All Users" Rule.
Make sure the Firewall Client is installed on the EnTrust machine so it can handle LDAP. It may also work as a SecureNAT Client instead of having the Firewall Client. The point is that LDAP will not work with a Web Proxy "only" Client.
Create a Computer Object or a Computer Set that represents or contains the Server that runs EnTrust.
Create a Computer Object or Computer Set that represents or contains the Destination Computers (or IP Range, or subnet).
Then the Rule would look like this:
From: <source computer object>
To: <destination computer object>
Protocol: HTTP, HTTPS, LDAP (not LDAP Server)
Users: All Users
Place this Rule "above" any other Rule using HTTP, HTTPS, LDAP that requires user authentication.
In the Monitoring Log set the filter to only show traffic from the EnTrust Computer IP#. Watch for problems in the logs.
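An added example, not part of any post in this thread: a small Python check that parses the endpoint line quoted earlier and attempts a TCP connection to each port, so the result with the ISA Server in the path can be compared against the result without it. The function names and the 5-second timeout are assumptions; the hosts and ports are the ones given in the thread.

```python
import socket

# Endpoint list as quoted in the thread: Role=host+port tokens.
ENTRUST_ENDPOINTS = (
    "Authority=ca-ac.gss-spg.gc.ca+829 "
    "Manager=ca-ac.gss-spg.gc.ca+709 "
    "Server=ldap.gss-spg.gc.ca+389"
)


def parse_endpoints(text):
    """Return [(role, host, port), ...] from 'Role=host+port' tokens."""
    endpoints = []
    for token in text.split():
        role, eq, target = token.partition("=")
        host, plus, port = target.rpartition("+")
        if not (eq and plus and role and host and port.isdigit()):
            raise ValueError("malformed endpoint token: %r" % token)
        if not 0 < int(port) < 65536:
            raise ValueError("port out of range in: %r" % token)
        endpoints.append((role, host, int(port)))
    return endpoints


def probe(host, port, timeout=5.0):
    """Classify one TCP connect attempt as open, refused, timeout or error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"   # no answer at all within the timeout
    except ConnectionRefusedError:
        return "refused"   # something answered with a reset
    except OSError as exc:
        return "error: %s" % exc  # DNS failure, unreachable network, ...


if __name__ == "__main__":
    # Run once through the ISA Server and once without it, then compare.
    for role, host, port in parse_endpoints(ENTRUST_ENDPOINTS):
        print("%-9s %s:%d -> %s" % (role, host, port, probe(host, port)))
```

Any port that reports "open" without the ISA Server but not through it is the one to look for in the Monitoring Log filtered on the client IP.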
Yes, but I was just able to reach someone from the software (I was lucky), and he told me that Entrust modifies the packet and ISA rejects this packet because of that.
Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
I think he is wrong. What does "filter out EntrustId of the incoming packets" even mean? What? Where? How? You have to use the MonitoringLog as I described to troubleshoot.
He told me that ISA Server is removing the Entrust ID from the incoming packet from the web server to my computer; that's why I get the security error missing token data.
He told me that I'm not the first one and you have to do that.
You must specify that ISA Server not remove the Entrust ID.
Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,
If he said you're not the first one, ask him what the others did to solve this issue. Did you try to google around? You can check these packets using a net cap, like Wireshark.
Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
My thoughts exactly.
The Tech should have documented what had to be done with the "others" so then when the next one came along he would have an answer for them. That's what a tech support person is supposed to do when they support their products.